This paper offers a survey of Uppaal-SMC, a major extension of the real-time verification tool Uppaal. Uppaal-SMC allows for the efficient analysis of performance properties of networks of priced timed automata under a natural stochastic semantics. In particular, Uppaal-SMC relies on a series of extensions of the statistical model checking approach, generalized to handle real-time systems and to estimate undecidable problems. Uppaal-SMC comes together with a friendly user interface that allows a user to specify complex problems in an efficient manner as well as to get feedback in the form of probability distributions and to compare probabilities in order to analyze performance aspects of systems. The focus of the survey is on the evolution of the tool, including modeling and specification formalisms as well as the techniques applied, together with applications of the tool to case studies.

1 Introduction 

Quantitative properties of stochastic systems are usually specified in logics that allow one to compare the measure of executions satisfying certain temporal properties with thresholds. The model checking problem for stochastic systems with respect to such logics is typically solved by a numerical approach [13, 14] that iteratively computes (or approximates) the exact measure of paths satisfying relevant sub-formulas; the algorithms themselves depend on the class of systems being analyzed as well as on the logic used for specifying the properties.

Another approach to solving the model checking problem is to simulate the system for finitely many runs, and to use hypothesis testing to infer whether the samples provide statistical evidence for the satisfaction or violation of the specification [40]. The crux of this approach is that since sample runs of a stochastic system are drawn according to the distribution defined by the system, they can be used to get estimates of the probability measure on executions. Those techniques, also called Statistical Model Checking (SMC) techniques [26, 36, 40, 35], can be seen as a trade-off between testing and formal verification. In fact, SMC is very similar to the Monte Carlo methods used in industry, but it relies on a formal model of the system. The core idea of SMC is to monitor a number of simulations of a system whose behaviors depend on a stochastic semantics. Then, one uses results from statistics (e.g. sequential hypothesis testing or Monte Carlo estimation) together with the simulations to get an overall estimate of the probability that the system will behave in some manner. While the idea resembles that of classical Monte Carlo simulation, it is based on a formal semantics of systems that allows us to reason about very complex behavioral properties of systems (hence the terminology). This includes classical reachability properties such as "can I reach such a state?", but also non-trivial properties such as "can I reach this state x times in less than y units of time?". Of course, in contrast with an exhaustive approach, such a simulation-based solution does not guarantee a result with 100% confidence. However, it is possible to bound the probability of making an error. Simulation-based methods are known to be far less memory and time intensive than exhaustive ones, and are sometimes the only option [41, 27].

Statistical model checking is now widely accepted in various research areas such as software engineering, in particular for industrial applications [5, 33, 18], or even for solving problems originating from systems biology [17, 29]. There are several reasons for this success. First, SMC is very simple to understand, implement, and use. Second, it does not require extra modeling or specification effort, but simply an operational model of the system that can be simulated and checked against state-based properties. Third, it allows us to verify properties [15, 16, 5] that cannot be expressed in classical temporal logics. Finally, SMC allows one to approximate undecidable problems. This latter observation is crucial. Indeed, most emerging problems such as energy consumption are undecidable [24, 9] and can hence only be estimated. SMC has been applied to a wide range of problems that ranges from embedded systems [15] and systems biology [15, 17] to more industrial applications [5].

In a series of recent works [22, 13, 21], we have investigated the problem of Statistical Model Checking for networks of Priced Timed Automata (PTA). PTAs are timed automata whose clocks can evolve with different rates, while being used with no restrictions in guards and invariants. In [21], we have proposed a natural stochastic semantics for such automata, which allows one to perform statistical model checking. Our work has later been implemented in Uppaal-SMC, which is a stochastic and statistical model checking extension of Uppaal. Uppaal-SMC relies on a series of extensions of the statistical model checking approach, generalized to handle real-time systems and to estimate undecidable problems. Uppaal-SMC comes together with a friendly user interface that allows a user to specify complex problems in an efficient manner as well as to get feedback in the form of probability distributions and to compare probabilities in order to analyze performance aspects of systems.

The objective of this paper is to offer a survey of Uppaal-SMC. This includes the modeling and specification formalisms as well as the techniques applied, together with applications of the tool to case studies.

Structure of the paper In Section 2 we introduce the formalism of networks of priced timed automata. Section 3 provides an overview of some existing statistical model checking algorithms, while Sections 4 and 5 introduce the GUI and give some details on the engine of Uppaal-SMC. Finally, Section 6 presents a series of applications for the tool-set and Section 7 concludes the paper.

2 Modeling Formalism 

The new engine of Uppaal-SMC [22] supports the analysis of Priced Timed Automata (PTAs), that is, timed automata whose clocks can evolve with different rates in different locations (in contrast to the usual restriction of priced timed automata [7, 12]). In fact, the expressive power (up to timed bisimilarity) of NPTA equals that of general linear hybrid automata (LHA) [1], rendering most problems, including that of reachability, undecidable. We also assume PTAs are input-enabled, deterministic (with a probability measure defined on the sets of successors), and non-zeno.
PTAs communicate via broadcast channels and shared variables to generate Networks of Priced Timed Automata (NPTA).

Fig. 1 provides an NPTA with three components A, B, and T as specified using the Uppaal GUI. One can easily see that the composite system (A|B|T) has the transition sequence:

$((A_0, B_0, T_0), [x = 0, y = 0, C = 0]) \rightarrow ((A_1, B_0, T_1), [x = 1, y = 1, C = 4]) \rightarrow ((A_1, B_1, T_2), [x = 2, y = 2, C = 6]),$

demonstrating that the final location of T is reachable. In fact, location $T_2$ is reachable with a cost of up to 6 and within a total time of up to 2 in (A|B|T), depending on when (and in which order) A and B choose to perform the output actions a! and b!. Assuming that the choice of these time-delays is governed by probability distributions, a measure on sets of runs of NPTAs is induced, according to which quantitative properties such as "the probability of the final location being reached within a total cost-bound of 4.3" become well-defined.

In our early works [21], we provide a natural stochastic semantics, where PTA components associate probability distributions to both the time-delays spent in a given state as well as to the transitions between states. In Uppaal-SMC uniform distributions are applied for bounded delays and exponential distributions for the case where a component can remain indefinitely in a state. In a network of PTAs the components repeatedly race against each other, i.e. they independently and stochastically decide on their own how much to delay before outputting, with the "winner" being the component that chooses the minimum delay. For instance, in the NPTA of Fig. 1, A wins the initial race over B with probability 0.75.

As observed in [21], though the stochastic semantics of each individual PTA in Uppaal-SMC is rather simple (but quite realistic), arbitrarily complex stochastic behavior can be obtained by their composition when mixing individual distributions through message passing. The beauty of our model is that these distributions are naturally and automatically defined by the network of PTAs.
The Hammer Game To illustrate the stochastic semantics further, consider the network of two priced timed automata in Fig. 3, modeling a competition between the two players Axel and Alex, both having to hammer three nails down. As can be seen from the Work-locations, the time (interval) and the rate of energy consumption required for hammering a nail depend on the player and the nail number. As expected, Axel is initially quite fast and uses a lot of energy but becomes slow towards the last nail, somewhat in contrast to Alex. To make it an interesting competition, there is only one hammer, illustrated by repeated competitions between the two players in the Ready-locations, where the slowest player has to wait in the Idle-location until the faster player has finished hammering the next nail. Interestingly, despite the somewhat different strategies applied, the best- and worst-case completion times are identical for Axel and Alex: 59 seconds and 150 seconds. So, there is no difference between the two players and their strategies, or is there?
Figure 3: 3-Nail Hammer Game between Axel and Alex: (a) Axel, (b) Alex (Work-locations with invariants and cost rates x<=13 && C'==2, x<=12 && C'==3, x<=10 && C'==4; Idle1, Idle2, Idle3 are the waiting locations).

Assume now that a third person wants to bet on who is the more likely winner, Axel or Alex, given a refined semantics where the time-delay before performing an output is chosen stochastically (e.g. by drawing from a uniform distribution) and independently by each player (component).

Under such a refined semantics there is a significant difference between the two players (Axel and Alex) in the Hammer Game. Fig. 4(a) gives the probability distributions for either of the two players winning before a certain time. Though it is clear that Axel has a higher probability of winning than Alex (59% versus 41%) given unbounded time, declaring the competition a draw if it has not finished before 50 seconds actually makes Alex the more likely winner. Similarly, Fig. 4(b) illustrates the probability of either of the two players winning given an upper bound on energy. With an unlimited amount of energy, clearly Axel is the most likely winner, whereas limiting the consumption of energy to a maximum of 52 "energy-units" gives Alex an advantage.
Figure 4: Time- and cost-dependent probability of winning the Hammer Game.



Extended Input Language Uppaal-SMC takes as input NPTAs as described above. Additionally, there is support for other features of the Uppaal model checker's input language such as integer variables, data structures and user-defined functions, which greatly ease modeling. Uppaal-SMC allows the user to specify an arbitrary (integer) rate for the clocks in any location. In addition, the automata support branching edges where weights can be added to give a distribution on discrete transitions. It is important to note that rates and weights may be general expressions that depend on the states and not just simple constants.

To illustrate the extended input language, we consider a train-gate example. This example is available in the distributed version of Uppaal-SMC. A number of trains are approaching a bridge on which there is only one track. To avoid collisions, a controller stops the trains. It restarts them when possible to make sure that trains will eventually cross the bridge. There are timing constraints for stopping the trains, modeling the fact that it is not possible to stop trains instantly. The interesting point w.r.t. SMC is to define the arrival rates of these trains. Figure 5(a) shows the template for a train. The location Safe has no invariant and defines the rate of the exponential distribution for delays. Trains delay according to this distribution and then approach and synchronize with the gate controller using appr[i]!. Here we define the rate as a rational expression of id and N, where id is the identifier of the train and N the number of trains. Rates are given by expressions that can depend on the current states. Trains with a higher id arrive faster. Taking transitions from locations with invariants is governed by a uniform distribution. This happens in Appr, Cross, and Start, e.g., it takes some time picked uniformly between 3 and 5 time units to cross the bridge. Figure 5(b) shows the gate controller that keeps track of the trains with an internal queue data structure (not shown here). It uses functions to queue trains (when a train is approaching while the bridge is occupied, in Occ) or dequeue them when possible (when the bridge is free and some train is queued).




Figure 5: Template of a Train (a) and the Gate Controller (b). 



Floating Point Arithmetic For modeling certain systems, e.g., biological systems, integer arithmetic shows its precision limits very quickly. The current engine implements simple arithmetic operations on clocks as floating point variables. This allows various tricks; in particular the tool can compute nontrivial functions using small-step integration. For example, Figure 6(a) shows a timed automaton with floating point arithmetic. The clocks sin_t and cos_t are used to compute $\sin(t)$ and $\cos(t)$ using simple facts such as $\sin(t + dt) \approx \sin(t) + \sin'(t)\,dt$ for small steps $dt \to 0$, where $\sin'(t) = \cos(t)$ and $\sin(0) = 0$, and similarly for $\cos(t)$. The interesting trick in the model is the high exponential rate (1000) that tells the engine to take small (random) time steps and record the duration in clock dt. The other clocks are stopped and updated on transitions. The evolution of the values of sin_t and cos_t over time is plotted in Figure 6(b). Figure 6(c) shows sin_t values against the corresponding cos_t values, which form an almost perfect circle. These plots are rendered using the value monitoring features described in Section 4.

Figure 6: How to use clock arithmetic to integrate complex functions: (a) the automaton, (b) sin_t and cos_t over time, (c) sin_t against cos_t.
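As an added illustration (not code from the paper or from the Uppaal-SMC engine), the following Python script emulates the Figure 6(a) model outside the tool: each sojourn dt is drawn from an exponential distribution with the location's rate, and on every transition the stopped clocks sin_t and cos_t are updated with the small-step rule above. Running it with a low rate as well shows why the high rate (1000) is the trick; the function names and the seed are assumptions of this example.

```python
import math
import random


def integrate_sin_cos(t_end: float, rate: float = 1000.0, seed: int = 1):
    """Emulate the Figure 6(a) model: in the single location, delays dt are drawn from
    an exponential distribution with the given rate (1000 in the paper); the clocks
    sin_t and cos_t are stopped while waiting and, on each transition, updated with
    sin(t+dt) ~ sin(t) + cos(t)*dt and cos(t+dt) ~ cos(t) - sin(t)*dt.
    Returns the list of (t, sin_t, cos_t) points, i.e. what 'simulate' would plot."""
    rng = random.Random(seed)                 # fixed seed (assumption) for reproducibility
    t, sin_t, cos_t = 0.0, 0.0, 1.0           # sin(0) = 0, cos(0) = 1
    points = [(t, sin_t, cos_t)]
    while t < t_end:
        dt = rng.expovariate(rate)            # sojourn time, recorded in clock dt
        dt = min(dt, t_end - t)               # the run is bounded by t <= t_end
        # both clocks are updated from their values before the transition
        sin_t, cos_t = sin_t + cos_t * dt, cos_t - sin_t * dt
        t += dt
        points.append((t, sin_t, cos_t))
    return points


def max_abs_error(points) -> float:
    """Largest deviation of the integrated clocks from the exact sin(t) and cos(t)."""
    return max(max(abs(s - math.sin(t)), abs(c - math.cos(t))) for t, s, c in points)


def radius_at_end(points) -> float:
    """sqrt(sin_t^2 + cos_t^2) at the last point: 1.0 for the perfect circle of Figure 6(c).
    Each Euler step scales the radius by sqrt(1 + dt^2), so a coarse rate inflates it."""
    _, s, c = points[-1]
    return math.hypot(s, c)


def error_for_rate(t_end: float, rate: float, seed: int = 1) -> float:
    """Integration error over [0, t_end] when the location uses the given exponential rate."""
    return max_abs_error(integrate_sin_cos(t_end, rate, seed))


if __name__ == "__main__":
    # simulate 1 [<=12] {sin_t, cos_t}, emulated with the paper's rate and with a low one
    for rate in (1000.0, 10.0):
        pts = integrate_sin_cos(12.0, rate)
        print(f"rate {rate:6.0f}: {len(pts):6d} points, max error {max_abs_error(pts):.4f}, "
              f"radius at t=12 {radius_at_end(pts):.4f}")
```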

3 Properties and Queries 

For specifying properties of NPTAs, we use weighted temporal properties over runs expressed in the logic $\mathrm{WMTL}_{\le}$ [10] (Weighted Metric Temporal Logic), defined by the grammar $\varphi ::= ap \mid \neg\varphi \mid \varphi_1 \wedge \varphi_2 \mid \bigcirc\varphi \mid \varphi_1\, U_{x \le d}\, \varphi_2$, where $ap$ is an atomic proposition, $d$ is a natural number and $x$ is a clock. Here, the logical operators are interpreted as usual, and $\bigcirc$ is a next-state operator. A $\mathrm{WMTL}_{\le}$-formula $\varphi_1\, U_{x \le d}\, \varphi_2$ is satisfied by a run if $\varphi_1$ is satisfied on the run until $\varphi_2$ is satisfied, and this happens before the value of the clock $x$ increases by more than $d$. For an NPTA $M$ we define $P_M(\psi)$ to be the probability that a random run of $M$ satisfies $\psi$.

The problem of checking $P_M(\psi) \ge p$ ($p \in [0,1]$) is unfortunately undecidable in general^. For the sub-logic of cost-bounded reachability problems $P_M(\Diamond_{x \le C}\,\varphi) \ge p$, where $\varphi$ is a state-predicate, $x$ is a clock and $C$ is a bound, we approximate the answer using simulation-based algorithms known under the name of statistical model checking algorithms. We briefly recap statistical algorithms permitting us to answer the following three types of questions:

1. Hypothesis Testing: Is the probability $P_M(\Diamond_{x \le C}\,\varphi)$ for a given NPTA $M$ greater than or equal to a certain threshold $p \in [0,1]$?

2. Probability evaluation: What is the probability $P_M(\Diamond_{x \le C}\,\varphi)$ for a given NPTA $M$?

3. Probability comparison: Is the probability $P_M(\Diamond_{x \le C}\,\varphi_1)$ greater than the probability $P_M(\Diamond_{y \le D}\,\varphi_2)$?

From a conceptual point of view, solving the above questions using SMC is simple. First, each run of the system is encoded as a Bernoulli random variable that is true if the run satisfies the property and false otherwise. Then a statistical algorithm groups the observations to answer the three questions. For the qualitative questions (1 and 3), we shall use sequential hypothesis testing, while for the quantitative question (2) we will use an estimation algorithm that resembles classical Monte Carlo simulation. The two solutions are detailed hereafter.

Hypothesis Testing This approach reduces the qualitative question to testing the hypothesis $H: p = P_M(\Diamond_{x \le C}\,\varphi) \ge \theta$ against $K: p < \theta$. To bound the probability of making errors, we use strength parameters $\alpha$ and $\beta$ and we test the hypotheses $H_0: p \ge p_0$ and $H_1: p \le p_1$ with $p_0 = \theta + \delta_0$ and $p_1 = \theta - \delta_1$. The interval $p_0 - p_1$ defines an indifference region, and $p_0$ and $p_1$ are used as thresholds in the algorithm. The parameter $\alpha$ is the probability of accepting $H_0$ when $H_1$ holds (false positives) and the parameter $\beta$ is the probability of accepting $H_1$ when $H_0$ holds (false negatives). The above test can be solved by using Wald's sequential hypothesis testing [39]. This test computes a proportion $r$ among those runs that satisfy the property. With probability 1, the value of the proportion will eventually cross $\log(\beta/(1-\alpha))$ or $\log((1-\beta)/\alpha)$ and one of the two hypotheses will be selected. In Uppaal-SMC we use the following query: Pr[bound](φ) >= p0, where bound defines how to bound the runs. The three ways to bound them are 1) implicitly by time by specifying <=M (where M is a positive integer), 2) explicitly by cost with x<=M where x is a specific clock, or 3) by the number of discrete steps with #<=M. In the case of hypothesis testing p0 is the probability to test for. The formula φ is either <> q or [] q where q is a state predicate.

^ Exceptions being PTA with 0 or 1 clocks.

Probability Estimation This algorithm [26] computes the number of runs needed in order to produce an approximation interval $[p - \varepsilon, p + \varepsilon]$ for $p = \Pr(\psi)$ with a confidence $1 - \alpha$. The values of $\varepsilon$ and $\alpha$ are chosen by the user and the number of runs relies on the Chernoff-Hoeffding bound. In Uppaal-SMC we use the following query: Pr[bound](φ).

Probability Comparison This algorithm, which is detailed in [21], exploits an extended Wald test. In Uppaal-SMC, we use the following query: Pr[bound1](φ1) >= Pr[bound2](φ2).
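The following Python example, added here and not part of the paper or of the Uppaal-SMC engine, implements the hypothesis-testing and estimation algorithms above over Bernoulli outcomes of simulated runs: Wald's sequential test with the indifference region and the two log thresholds, and the Chernoff-Hoeffding run count for estimation. The runs come from an assumed two-component race in the style of Section 2 (uniform delays, the winner is the minimum delay), with bounds chosen so that A wins with probability 0.75 like Fig. 1; those bounds, the seed and all function names are assumptions of this example and not Fig. 1's actual model.

```python
import math
import random


def race_a_wins(rng: random.Random) -> bool:
    """One simulated run of a constructed two-component race (assumption, not the
    bounds of Fig. 1): A delays uniformly in [0, 2], B uniformly in [1, 2], and the
    winner is the component choosing the smaller delay. For these bounds
    P(A wins) = 1 - P(A > B) = 1 - 1/4 = 0.75. The outcome is the Bernoulli variable
    'the run satisfies the property A wins'."""
    delay_a = rng.uniform(0.0, 2.0)
    delay_b = rng.uniform(1.0, 2.0)
    return delay_a < delay_b


def simulate_runs(seed: int):
    """Endless supply of Bernoulli outcomes, one per simulated run (seed is an assumption)."""
    rng = random.Random(seed)
    while True:
        yield race_a_wins(rng)


def sprt(runs, theta, delta0, delta1, alpha, beta):
    """Wald's sequential probability ratio test of H0: p >= theta + delta0 against
    H1: p <= theta - delta1, with alpha = P(accept H0 | H1) and beta = P(accept H1 | H0).
    Runs are consumed one at a time until the log likelihood ratio crosses
    log((1-beta)/alpha) (select H1) or log(beta/(1-alpha)) (select H0).
    Returns (selected hypothesis, number of runs used)."""
    p0, p1 = theta + delta0, theta - delta1
    upper = math.log((1.0 - beta) / alpha)   # crossing it selects H1
    lower = math.log(beta / (1.0 - alpha))   # crossing it selects H0
    log_ratio, used = 0.0, 0
    for satisfied in runs:
        used += 1
        # likelihood of this outcome under H1 divided by its likelihood under H0
        if satisfied:
            log_ratio += math.log(p1 / p0)
        else:
            log_ratio += math.log((1.0 - p1) / (1.0 - p0))
        if log_ratio >= upper:
            return "H1", used
        if log_ratio <= lower:
            return "H0", used
    raise ValueError("run supply exhausted before the test reached a decision")


def chernoff_runs(eps: float, alpha: float) -> int:
    """Number of runs N such that the empirical proportion lies within eps of the true
    probability with confidence 1 - alpha: N >= ln(2/alpha) / (2 eps^2) (Chernoff-Hoeffding)."""
    return math.ceil(math.log(2.0 / alpha) / (2.0 * eps * eps))


def estimate(runs, eps: float, alpha: float) -> float:
    """Monte Carlo estimate of p from exactly chernoff_runs(eps, alpha) runs."""
    n = chernoff_runs(eps, alpha)
    hits = sum(1 for _, satisfied in zip(range(n), runs) if satisfied)
    return hits / n


def race_hypothesis_decision(theta=0.6, seed=7):
    """Query 'Pr[bound](<> A wins) >= 0.6' on the assumed race, run as an SPRT with a
    0.05-wide indifference region on each side and alpha = beta = 0.05."""
    return sprt(simulate_runs(seed), theta, 0.05, 0.05, 0.05, 0.05)


def race_probability_estimate(eps=0.05, alpha=0.05, seed=7):
    """Query 'Pr[bound](<> A wins)' on the assumed race: an estimate within
    [p - eps, p + eps] at confidence 1 - alpha."""
    return estimate(simulate_runs(seed), eps, alpha)


if __name__ == "__main__":
    decision, used = race_hypothesis_decision()
    print(f"SPRT: selected {decision} after {used} runs")
    print(f"Chernoff-Hoeffding: {chernoff_runs(0.05, 0.05)} runs for eps=0.05, alpha=0.05")
    print(f"estimate of P(A wins) = {race_probability_estimate():.3f} (true value 0.75)")
```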

In addition to those three classical tests, Uppaal-SMC also supports the evaluation of the expected value of the minimum or maximum of an expression that evaluates to a clock or an integer value. The syntax is as follows: E[bound;N](min:expr) or E[bound;N](max:expr), where bound is as explained in this section, N gives the number of runs explicitly, and expr is the expression to evaluate. For this property, no confidence is given (yet).

Full $\mathrm{WMTL}_{\le}$ Regarding implementation, the reader shall observe that both of the above statistical algorithms are trivially implementable. Supporting the full logic $\mathrm{WMTL}_{\le}$ is slightly more complex as our simulation engine needs to rely on monitors for such a logic. In [10], we proposed an extension of Uppaal-SMC that can handle arbitrary formulas of $\mathrm{WMTL}_{\le}$. Given a property $\varphi$, our implementation first constructs deterministic under- and over-approximation monitoring PTAs for $\varphi$. Then it puts these monitors in parallel with a given model $M$, and applies SMC-based algorithms to bound the probability that $\varphi$ is satisfied on $M$.

4 Graphical User Interface 

Besides short 'yes' or 'no' answers and probability estimates, the Uppaal-SMC verifier also provides a few statistical measures in terms of time (or cost), including a frequency histogram, the average time (or cost), the probability density distribution and the cumulative probability distribution (the last two with confidence intervals, e.g. using the Clopper-Pearson method [19]).

These statistical data can also be superposed onto a single plot for comparison purposes using the plot composer tool. Figure 7 shows the superposed probability distributions of trains 0, 3 and 5 crossing from our train-gate example. On the left side of the plot composer window the user can select particular data to be added to the plot, and on the right side the user can see the superposed plot and can also change some details such as labels, shapes and colors.

Monitoring Expressions Uppaal-SMC now allows the user to visualize the values of expressions (evaluating to integers or clocks) along runs. This gives the user insight into the behavior of the system so that more interesting properties can be asked of the model-checker. To demonstrate this on our previous train-gate example, we can monitor when Train(0) and Train(5) are crossing as well as the length of the queue. The query is simulate 1 [<=300] {Train(0).Cross, Train(5).Cross, Gate.len}. This gives us the plot of Figure 8. Interestingly, Train(5) crosses more often (since it has a higher arrival rate). Secondly, it seems unlikely that the gate length drops below 3 after some time (say 20), which is not an obvious property from the model. We can confirm this by adding a clock t and asking Pr[<=300](<> Gate.len < 3 and t > 20). The probability is in [0.102, 0.123].

Figure 7: Snapshot of the plot composer displaying three probability distributions.
Figure 8: Visualizing the gate length and when Train(0) and Train(5) cross on one random run.

As a second example to illustrate this feature, we consider the modeling of chemical reactions. Figures 9(a) and 9(b) show two symmetric timed automata that model the concentrations of reactants a and b (here as integers). The exponential rate for taking the transition is given by the concentrations of a and b. Figure 9(c) shows the evolution of the system when it is started with a=99 and b=1: a is consumed to produce b and vice versa, and the concentrations oscillate.

The simulations are obtained by querying simulate 1 [<=10] {a,b}. Figure 9(c) shows one evolution of a and b over time. The tool can also plot clouds of trajectories, which is useful to identify patterns in the behavior, as shown in Figure 9(d).

It is important to notice that generating such curves is not as trivial as it seems. In fact, on such models, if the exponential rates are higher, then the time steps are much smaller, which generates a lot of points, up to consuming several GB of memory. Drawing such plots is not practical: the tool would not work due to out-of-memory problems or, in the best case, would take around 30s to transfer the data and several seconds for every redraw. To solve this, the engine applies an on-the-fly filtering of the points based on the principle that if two points are too close to each other to be distinguished on the screen, then they are considered to be the same. A resolution parameter is used to define the maximal resolution of the plot, which eliminates the memory and speed problems completely (down to almost not measurable).

The plot in Figure 6(b) is obtained by asking simulate 1 [<=12] {sin_t, cos_t} of the model-checker. Interestingly, Uppaal-SMC can generate a run bounded by any clock, so we can also plot simulate 1 [cos_t<=1] {sin_t} and obtain a circle as shown in Figure 6(c).



5 Engine 

The actual techniques to achieve the current performance of the tool were never exposed before. In this 
section, we present a few key optimizations to implement the algorithms presented and new features that 
were not available in earlier versions of Uppaal-SMC. 

Distributed SMC The problem in distributing the implementation of the sequential SMC algorithm is that a bias may be introduced. The reason is that sequential testing relies on collecting outcomes of the generated runs on-the-fly. If some computation cores generate accepting runs faster, which is possible if rejecting runs happen to be longer or simply more expensive to compute, then the result will be biased. The solution to this problem is to force all the cores to generate the same number of simulations. The paper [40] proposes a method to ensure this by splitting the simulations into batches of the same size, and this method has been generalized and implemented in Uppaal-SMC [13]. The distributed implementation gives a linear speed-up in the number of cores used.

Detection of States When choosing the delays, the engine does not know whether it will skip the state that should be observed by the query or not. This problem is present when picking delays to take transitions as well. For example, the query could be <> A.critical and x >= 2 and x <= 3 where x is a clock. The engine should not delay 4 time units from a state where x=0 just because the first possible transition is enabled at that point, since doing so would skip the interval in which the query can be satisfied. Special care is taken to make sure that the formula is part of the next interesting points that are computed when choosing the delays. Now comes the question of how to detect those interesting points in both the formula and the guards.

The technique we use follows the decorator pattern where we evaluate guards (for detecting which 
transitions will be enabled in the future) and formulas in the query to keep track of the lower bounds. 
We wrap a state inside a decorator state that keeps track of the constraints on-the-fly, only remembering 
the bounds that we need. The point of the technique here is to avoid symbolic states that would require 
zones typically implemented with different bound matrices. 

Early Termination The engine checks the query on-the-fly on every generated run. If a query is satisfied then the computation of the run is stopped before it reaches the specified bound. In addition, in order to give the user a way to stop runs earlier, the engine supports an until property: p U q can be queried instead of <> q to cut the runs as soon as p stops holding.



Statistical Model Checking for Priced Timed Automata



Dependencies and Reuse of Choice When a process takes an action, it may not affect other processes, which means that from a stochastic point of view, picking a new delay from scratch or reusing the old (random) choice is equivalent. The engine exploits this independence: it remembers the previous delays chosen by the processes and invalidates them when dependent transitions are taken. A process has its delay invalidated if there is a dependency with another transition being taken, which happens in case of synchronization or a dependency through a clock rate, invariant, guard, or update. A static analysis is made at the granularity of how transitions affect processes^.

The result is that whenever a process needs to pick a delay, it does so. Whenever a process takes a transition, the processes that may be affected by it must pick a new delay at the next step. Otherwise, processes reuse their choices from the previous step in the simulation^.

Checking the query Pr[<=300](<> Train(0).Cross and (forall (i:id_t) i!=0 imply Train(i).Stop)) to evaluate the probability of Train(0) crossing while all the others are stopped gives the results in Table 1 for different numbers of trains. The results are obtained with the parameter $\varepsilon = 0.005$, and the probability results agree with or without reuse within $\varepsilon$. The experiments are made on a Core i7 at 2.66GHz. This optimization is designed to improve on systems with a large number of components, which is shown by the increasing improvement relative to verifications without reuse.



Trains    5            10           20         40
Proba.    0.985-0.995  0.286-0.297  0-0.008    0-0.005
Time-     3.9s         17.3s        41.1s      98.1s
Time+     3.5s         14.8s        33.2s      74.8s
Gain      10.2%        14.4%        19.2%      23.8%

Table 1: Probability and time results without (-) and with (+) reuse.



6 Case-Studies 

In this section we evaluate the applicability of the developed techniques on practical case studies. 



Robot Control In paper [10] we considered a case, explored in earlier work, of a robot moving on a two-dimensional grid. Each field of the grid is either normal, on fire, cold as ice, or a wall which cannot be passed. Also, there is a goal field that the robot must reach. The robot moves in a random fashion, i.e. it stays in a field for some time, and then moves to a neighboring field at random (if it is not a wall).

We are interested in the probability that the robot reaches its goal location without staying on consecutive fire fields for more than one time unit and on consecutive ice fields for more than two time units. This property is captured by the $\mathrm{WMTL}_{\le}$ formula $\varphi = (\varphi_1 \wedge \varphi_2)\, U_{t \le 10}\, \mathit{goal}$, where $t$ is a special clock that grows with rate 1 and is never reset, and:

$\varphi_1 = \mathit{ice} \Rightarrow \Diamond_{\le 2}(\mathit{fire} \vee \mathit{normal} \vee \mathit{goal})$

$\varphi_2 = \mathit{fire} \Rightarrow \Diamond_{\le 1}(\mathit{ice} \vee \mathit{normal} \vee \mathit{goal})$

Figure 10: Cumulative probability over run duration in time for the three outcomes Goal, Burned and Frozen.

We applied Uppaal-SMC to compute the probabilities of the robot reaching the goal (satisfying $\varphi$), staying too long in the fire, or staying too long on the ice. Figure 10 shows the cumulative distributions for these probabilities.



^ We judge that keeping track of the dependencies down to the locations may have too large an overhead.
^ If time elapses then of course the delays chosen are updated.
Firewire IEEE 1394 High Performance Serial Bus, or Firewire for short, is used to transport multimedia signals among a network of consumer devices. The protocol has been extensively studied (see [37] for a comparison) and in particular [31] uses probabilistic timed automata in PRISM [30]. In paper [22] we adopt the model from [31] and demonstrate how Uppaal-SMC can be used to evaluate the fairness of a node becoming a root (leader) with respect to the mode of operation.

Uppaal-SMC provides two methods for comparing probabilities: estimating the probabilities and then comparing them, or using the indirect probability comparison from [39], which is more efficient. Figure 11 contains a resulting plot of estimated probabilities (red and blue lines) and a comparison (yellow area). The red and blue probability estimates appear very close to each other over the entire range, while the yellow area shows that at the beginning the probabilities are indistinguishable (yellow area at the 0.5 level), then the fast node has a higher probability of becoming a root (at the 1.0 level), and later the probabilities become too close to be distinguishable again (at the 0.5 level).

Figure 11: Probability comparison (series: comparison, slow, fast).




Bluetooth [34] is a wireless telecommunication protocol using frequency-hopping to cope with interference between the devices in the wireless network. In paper [22] we adopted the model from [23], annotated the model to record the power utilization and evaluated the probability distributions of likely response times and energy consumption. Figure 12 shows that after 70s the cost of a device operation is at least 2440 energy units and the mean is about 2853 energy units.

Figure 12: Energy consumption (probability density over energy).



Lightweight Medium Access Protocol (LMAC) [38] is a communication scheduling protocol based on time slot distribution for nodes sharing the same medium. The protocol is designed with wireless sensor networks in mind: it is simple enough to fit on modest hardware and at the same time robust against topology reconfiguration, minimizing collisions and power consumption. Paper [25] studies the LMAC protocol using classical Uppaal verification techniques by systematically exploring networks of up to five nodes, but the state space explosion prevents formal verification of larger networks. In paper [21] we adopt the model by removing verification optimizations and parameterizing it with probabilistic weights, and show how collisions can be analyzed and power consumption estimated using statistical model checking techniques. The study showed that there are still perpetual collisions in a ring topology but the probability that the network will not recover is very low (0.35%). The likely energy consumption of different network topologies is compared in an Uppaal plot (Figure 13), which shows that on average the likely energy consumption after 1000 time units in a ring is higher than in a chain by 10%, possibly due to more collisions in a ring. In [13] distributed techniques are applied in exploring over 10000 larger networks of up to 10 nodes, and the worst (star-like) and the best (chain-like) topologies in terms of collisions are identified and evaluated.

Figure 13: Likely energy consumption.



Computing Nash Equilibrium in Wireless Ad Hoc Networks One of the important aspects in designing 
wireless ad-hoc networks is to make sure that a network is robust to the selfish behavior of its 
participants, i.e. that its configuration satisfies a Nash equilibrium (NE). 

In paper [11] we proposed an SMC-based algorithm for computing NE for the case when network 
nodes are modeled by SPTA and the utility function of a single node is equal to the probability that the 
node will reach its goal. Our algorithm consists of two phases. First, we use Uppaal-SMC to find a 
strategy that most likely (heuristic) satisfies NE. In the second phase we apply statistics to test the 
hypothesis that this strategy actually satisfies NE. 

Figure 14: Nash Equilibrium for Aloha CSMA/CD 

We applied this algorithm to compute NE for the Aloha CSMA/CD and IEEE 802.15.4 CSMA/CA 
protocols. Figure 14 depicts the utility function plot for the Aloha CSMA/CD protocol with two nodes. 
Here the p and p' axes correspond to the strategies of the honest and cheater nodes (a strategy defines 
how persistent these nodes are in sending their data). We see that the NE strategy is slightly less efficient 
than the symmetric optimal strategy (Opt), but it still results in a high value of the utility function. 




Duration Probabilistic Automata In [20] we compared Uppaal-SMC to Prism [30] in the context of 
Duration Probabilistic Automata (DPA) [31]. A Duration Probabilistic Automaton (DPA) is a composition 
of Simple Duration Probabilistic Automata (SDPA). An SDPA is a linear sequence of tasks that must be 
performed in sequential order. 

Each task is associated with a duration interval which gives the possible durations of the task. The 
actual duration of a task is given by a uniform choice from this interval. To model races between the 
SDPAs we introduce resources to the model such that an SDPA might have to wait for resources before 
processing a task. When two SDPAs are waiting for the same resource, a scheduler decides which SDPA 
is given the resource in a deterministic manner. 

The comparison with Prism was made by randomly generating models with a specific number of 
SDPAs and a specific number of tasks per SDPA and translating these into Prism and Uppaal models. 
The Prism model uses a discrete time semantics whereas three models were made for Uppaal: one with 
continuous time semantics, one that matches the Prism model as closely as possible and one with discrete 
semantics that makes full use of our formalism. 

Figure 15: Rectangles are busy states and circles are for waiting when resources are not available. 
There are r1 = 5 and r2 = 3 resources available. 

Table 2: Performance of SMC (sec). The n column is the number of SDPAs, the k column is the number 
of tasks per SDPA and the m column is the number of resource types in the model. U_pp is the Uppaal 
model that matches Prism, U_pd the discrete encoding and U_pc the continuous time encoding. 

The queries to the models were "What is the probability of all SDPAs ending within t time units" 
(Estimation) and "Is the probability that all SDPAs end within t time units greater than 40%" (Hypothesis 
testing). The value of t is different for each model, as it was computed by simulating the system 369 times 
and represents the value for which at least 60% of the runs had finished all their tasks. 

The results of the experiments are shown in Table 2 and indicate that Uppaal is notably faster than 
Prism, even with an encoding that closely matches that of Prism. 
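The DPA model and the experimental recipe above (uniformly distributed task durations, SDPAs racing for resources under a deterministic scheduler, t chosen from 369 runs at the 60% level, then the estimation query) as an added Python example. This is not the paper's or the tool's code: the instance SDPAS, the resource counts and the "lowest index first" scheduler are constructed here for illustration.

```python
import math
import random

# Constructed DPA instance (added example, not one of the paper's generated models):
# each SDPA is a sequence of tasks (resource_type, low, high); a task holds one unit
# of its resource type for a duration drawn uniformly from [low, high].
SDPAS = [
    [(0, 2, 6), (1, 1, 3), (0, 4, 8)],
    [(0, 3, 5), (0, 1, 2), (1, 2, 4)],
    [(1, 2, 3), (0, 5, 9), (1, 1, 2)],
]
RESOURCES = {0: 1, 1: 1}  # one unit of each type, so the SDPAs race for them

def simulate(sdpas, resources, rng):
    """Discrete-event run of the composition; returns the time when all SDPAs end.
    Waiting SDPAs are served in index order (the assumed deterministic scheduler)."""
    free = dict(resources)
    position = [0] * len(sdpas)   # next task of each SDPA
    busy = {}                     # sdpa -> (finish_time, resource_type)
    now = 0.0
    while True:
        for i, tasks in enumerate(sdpas):  # grant free resources to waiting SDPAs
            if i in busy or position[i] >= len(tasks):
                continue
            res, lo, hi = tasks[position[i]]
            if free[res] > 0:
                free[res] -= 1
                busy[i] = (now + rng.uniform(lo, hi), res)
        if not busy:
            return now            # every SDPA has finished its last task
        i, (now, res) = min(busy.items(), key=lambda kv: kv[1][0])
        del busy[i]               # earliest task finishes, releases its resource
        free[res] += 1
        position[i] += 1

def choose_t(sdpas, resources, runs=369, quantile=0.6, seed=1):
    """The paper's recipe for t: simulate 369 times and take the smallest end time
    by which at least 60% of the runs had finished all their tasks."""
    rng = random.Random(seed)
    ends = sorted(simulate(sdpas, resources, rng) for _ in range(runs))
    return ends[math.ceil(quantile * runs) - 1]

def estimate(sdpas, resources, t, runs=2000, seed=2):
    """Estimation query: probability that all SDPAs end within t time units."""
    rng = random.Random(seed)
    return sum(simulate(sdpas, resources, rng) <= t for _ in range(runs)) / runs
```

With the instance above, the makespan is always between 8 (the longest SDPA at minimum durations) and 42 (all tasks serialized at maximum durations), so the estimate at t chosen by choose_t lands near 0.6 on fresh runs.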




Checking of Distributed Statistical Model Checking 

As we wrote in Section 5, a naive (and incorrect) distributed implementation of the sequential SMC 
algorithms might introduce a bias towards the results that are generated by shorter simulations. 

The interesting question is how much this bias affects the SMC results. In the paper [12] we answered 
this question by modeling the naive distributed SMC algorithm in Uppaal-SMC itself. The comparison 
was made on the basis of the SPTA model that ends up in the OK location after 100 time units with 
probability 0.58, and otherwise ends up in the NOK location after 1 time unit (thus producing NOK 
requires 100 times less time than producing OK). 

We used Uppaal-SMC to compute the probability that the naive distributed SMC algorithm will 
accept the hypothesis Pr[<=100](<> OK) > 0.5. The results for the different numbers of computational 
cores are given in the plot in Figure 16. The x axis denotes the total number of runs of the SPTA model 
on all the cores, and the y axis depicts the probability that an SMC algorithm accepts the hypothesis not 
later than after this number of runs. It can be observed that the probability of accepting the hypothesis 
tends (incorrectly) to as the number of computational cores increases. 

Figure 16: Probability distributions obtained with 1, 5, 10, and 20 cores (x axis: runs). 
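The bias described above, reproduced in an added Python simulation rather than in Uppaal-SMC (this is not the paper's model or the tool's code). The SPTA is reduced to its two outcomes with the paper's numbers (OK after 100 time units with probability 0.58, NOK after 1 time unit), and the "naive" master that consumes results in order of completion, as well as the plain point estimate standing in for the sequential test, are assumptions of this example.

```python
import heapq
import random

# Constructed SPTA from the paper's description (added example, not the paper's model):
# a run ends in OK after 100 time units with probability 0.58, otherwise in NOK after 1.
P_OK, T_OK, T_NOK = 0.58, 100.0, 1.0

def simulate_run(rng):
    """One run of the SPTA: returns (duration, reached_ok)."""
    return (T_OK, True) if rng.random() < P_OK else (T_NOK, False)

def sequential_estimate(runs, seed=0):
    """Reference: a single core, results used in the order they are produced."""
    rng = random.Random(seed)
    return sum(simulate_run(rng)[1] for _ in range(runs)) / runs

def naive_distributed_estimate(cores, runs, seed=0):
    """Naive distributed SMC: every core simulates runs back to back and the master
    takes results in wall-clock order of completion until it holds `runs` of them.
    Runs still in flight when it stops are dropped, and those are mostly the long
    OK runs, so the estimate is biased towards the short NOK outcome."""
    rng = random.Random(seed)
    queue = []  # (completion_time, core, reached_ok); all cores start at time 0
    for core in range(cores):
        d, ok = simulate_run(rng)
        heapq.heappush(queue, (d, core, ok))
    ok_count = 0
    for _ in range(runs):
        now, core, ok = heapq.heappop(queue)   # earliest finished run is taken first
        ok_count += ok
        d, ok_next = simulate_run(rng)        # that core immediately starts a new run
        heapq.heappush(queue, (now + d, core, ok_next))
    return ok_count / runs

def mean_estimate(cores, runs=250, seeds=600):
    """Average over independent seeds so the systematic bias stands out from noise."""
    return sum(naive_distributed_estimate(cores, runs, s) for s in range(seeds)) / seeds

def acceptance_rate(cores, runs=250, seeds=600, threshold=0.5):
    """Fraction of seeds on which Pr[<=100](<> OK) > threshold would be accepted from
    the naive estimate after `runs` results (a point estimate stands in for the
    sequential hypothesis test used by the tool)."""
    return sum(naive_distributed_estimate(cores, runs, s) > threshold
               for s in range(seeds)) / seeds
```

With one core the naive scheme coincides with the sequential estimate; with 20 cores the averaged estimate drops by a few percentage points below 0.58 and the hypothesis is accepted less often, which is the direction of the bias the paper reports.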



7 Conclusions 

This paper gives an overview of the features of Uppaal-SMC, our new efficient extension of UPPAAL 
for Statistical Model Checking. Contrary to other existing SMC-based tool-sets, Uppaal-SMC can 
handle systems with real-time features. The tool has been applied to a series of case studies that are 
beyond the scope of classical model checkers. As has been outlined in this paper, Uppaal-SMC has a 
large potential for future work and applications. 

Among others, the following extensions of Uppaal-SMC are contemplated. 



Floating Point So far the support of floating point is done via misusing and extending clock operations. 
A better and more general support is needed since the tool has now departed from traditional timed 
automata and model-checking. 

Since the tool now supports floating point arithmetic and we can integrate complex functions, it is 
a natural extension to add differential equations as well, to support hybrid systems in a more general 
way. To fit with the stochastic semantics (in particular how to pick delays), only simple equations whose 
analytical solutions are known are planned. 

New Applications With the extended expressivity of our hybrid modeling language, our tool can be 
applied to different domains, in particular for biological systems. Uppaal-SMC now offers powerful 
visualization capabilities needed by biologists and a logic to do statistical model-checking. 

Another application is to analyze performance of controllers generated by UPPAAL-TIGA [6], in 
particular their stability or energy consumption. SMC can also be used in the domain of refinement 
checking, which is in the end just another type of game. 

Rare Events Statistical model checking avoids the exponential growth of states associated with 
probabilistic model checking by estimating properties from multiple executions of a system and by giving 
results within confidence bounds. Rare properties are often very important but pose a particular 
challenge for simulation-based approaches, hence a key objective under these circumstances is to reduce 
the number and length of simulations necessary to produce a given level of confidence. Importance 
sampling is a well-established technique that achieves this; however, to maintain the advantages of 
statistical model checking it is necessary to find good importance sampling distributions without 
considering the entire state space. This problem has recently been investigated for the case of discrete 
stochastic systems. As an example, in [28] we presented a simple algorithm that uses the notion of 
cross-entropy to find the optimal parameters for an importance sampling distribution. Our objective is to 
extend our results to PTAs by exploiting pure timed model checking to improve the search for efficient 
distributions. 